Web Service running 22.09.0 can experience an issue where searches from the web can return a black screen and then become stuck in that state. The web service must be restarted to clear the issue, but it will likely reoccur.
Product
ExacqWebService 22.09.0
Solution
Update to exacqVision Web Server 22.09.1 or higher
HTTP to HTTPS redirect implementation is broken and always supplies and internal IP address for the redirect, leading to any and all redirect from outside of the local network to fail.
Product
exacqVision Web Server 22.03
Steps to Reproduce
Configure HTTPS on the web service, either external or ACME
When installing the web service the Service’s do not show up. The install seems if it completed successfully but does not create a service.
After installing the latest version of the Webservice the control panel and service page looks like this: You can see the application installed but the services do not.
Check to see if nvrg.exe is installed in the BIN folder. Run the Command Prompt as ADMIN: Note: You have to be in the bin directory or use full path. Type the following in CMD: cd C: \Program Files (x86) or (x64)\exacqVision\WebService\bin Then run: wfe.exe -k install IF you get the follow error we need to Make Sure that this error shows before moving to correcting the registry. If this does not give an error then do not move to the registry and escalate the case.
ERROR: If you get the above error: “this registry key already exists” seen as the return from the command follow the steps below to correct the install.
Run RegEdit as ADMIN and navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\webservice
You will delete the whole webservice key seen above. Delete the Folder in the left panel only.
Once that is done you can re run the command above and if it runs successfully you can validate the service shows up in the services. If it does start the service and in a browser browse to 127.0.0.1 (list port intended).
In this example using Letsencrypt SSL certificates. The webservice is behind HAProxy and was not been able to successfully configure HAProxy to update Letsencrypt certificates over HTTP. Therefore, I manually updated the certificate. /etc/webservice/tls/server.crt _> /etc/letsencrypt/live/site.com/cert.pem
After updating the certificates, I linked the original to the new certificates in the Letencrypt folder: When I try to connect to the webservice, I get this error message sent an invalid response. ERR_SSL_PROTOCOL_ERROR’.
The destination of his symlink, not the symlink itself, needs to be readable by the nvrweb user. In this example the directory that the symlink did not have permissions to allow the link to work correctly.
The best way to be sure would be to run terminal command sudo -i to root and then run su nvrweb -s /bin/bash and try to view the files (e.g., cat the paths listed in the config file). This should give you an out put.
We also need to make sure nvrweb can read the cert files /etc/webservice/tls/server.crt and .key The output will show the certs.
nvrweb@sunstone:/root$ cd /etc/webservice nvrweb@sunstone:/etc/webservice$ cat tls/server.crt —–BEGIN CERTIFICATE—– Contents of cert will be displayed here. —–END CERTIFICATE—–
nvrweb@sunstone:/etc/webservice$ cat tls/server.key —–BEGIN PRIVATE KEY—– Contents of Cert will be displayed here —–END PRIVATE KEY—–
These certs were in the TLS directory and being linked to the Letsencrypt folder, which we found having permissions issues.
To check try the following: Try the same thing with su to nvrweb and see if nvrweb can access the certs in the let’s encrypt folder, before changes WS config. Important to note that it’s not just the permissions of the target file that matter, but all the directories in between. In this case the target file was fine but the directory was LetsEncrypt and that did not have permissions. Since we were pointing the link to another file, that file needs to be accessible to nvrweb.
ls -ld for each directory – /etc/letsencrypt, /etc/letsencrypt/live, /etc/letsencrypt/site.com
Without -d it will show the contents, if you want to look at the directory like /etc/letsencrypt it’s necessary to do ls -ld /etc/letsencrypt
The site.com directory is fine. We need to check the live or letsencrypt directories. letsencrypt live directory’s permissions are rwx—- which means only root can enter or read the directory.
In the above photo we can see that the Permission is denied for the letsencrypt/live folder.
Configuration this way in not the normal process and it is possible the next time I run letsencrypt again to update certs it might error due to perms or reset them. The process might need to be done each time.
By default, exacqVision Web Service restricts configuration to the browser on the local machine. Through the configuration, a user can disable this restriction to enable remote configuration. However, there could be a need to manually remove this restriction (such as when installing the Web Service in a virtual environment, such as exacqVision Virtual).
<br>
To manually enable remote configuration, complete the following steps:
<br>
NOTE: These instructions assume that the file to edit does not contain any text. If it has previously been changed, merge the changes specified here into the existing file.
With administrator credentials, open the file .evws-login for editing. By default, this file is found in Windows at C:\Program Files (x86)\exacqVision\WebService\bin\.evws-login, or in Linux at /etc/.evws-login.
Add the following into the file:
[Settings] restricttolocalhost = 0
Save the file.
Restart the Web Service.
<br>
After restarting, the Web Service will have remote administration enabled.
<br>
You can also use the Web Service Configuration page to deselect the Enable Localhost Restriction option.
exacqVision 7.2 introduces native h.264 video streaming to the web client. When a browser session connects to the web service, the browser and web service negotiate whether transcoding or native streaming will be used. The following logic describes how this is negotiated:
If the browser does not support web sockets, fall back to polling (traditional method).
This includes IE8 and 9.
Since IE8 does not support the HTML5 element, it plays back by displaying the image element directly.
If the user has disabled software decoding on the client configuration page, use web sockets JPEG.
This method is similar to traditional polling, but the delivery mechanism causes frames to be sent as they are generated.
If the camera is not native H.264, use web sockets JPEG.
This includes digital PTZ “cameras” whose parent camera may be h.264, but as a virtual camera, they are not.
If the camera’s resolution is 167% larger than the panel, use web sockets JPEG.
There is very little gain in rendering native h.264 on small panels.
At this point, the camera will attempt native h.264 decoding. If it succeeds, it will play back using software decoding. Otherwise, it will fall back to web sockets JPEG.
When logging into the web service with a user queried against LDAP, either through the client or the mobile app, the user is logged in but the exacqVision admin access permissions set for the user are incorrectly disabled. In this situation, even if the user has permissions to configure the server, the options to do so are not displayed.
<br>
Workaround
Downgrade to prior version of the web service or evAPI
The version of Apache embedded in the web service has been found to expose a security vulnerability, known as “httpoxy” (technical details: CVE-2016-5387). This vulnerability can be avoided by changing the configuration of Apache.
